Description
On January 13, 2025, Brittany Canup, a former Gas Express employee who last worked for the company in 2020, received a letter from Gas Express informing her that personal information the company retained about her may have been compromised in a security incident on May 20, 2024, when unauthorized parties gained access to some of the company’s internal systems. According to the letter, Canup and an undisclosed number of other potentially affected employees would receive 24 months of complimentary identity monitoring services to help detect any misuse of their exposed information.
Gas Express, the largest franchisee of Circle K convenience stores in the U.S., operates 160 locations across four states. The breach affected Canup and other current and former employees, exposing sensitive information including:
- Names
- Social Security numbers
- Driver’s license numbers
Gas Express confirmed that no payment card information or medical records were exposed in the incident. The company also filed a breach notification with the Massachusetts Attorney General on the same date as the employee notification letters. Beyond that, it has not disclosed any details regarding the attack.
Basis of the Case
The lawsuit Brittany Canup v. Gas Express LLC (Case Number: 1:25-cv-00396) was filed on January 29, 2025, in the U.S. District Court for the Northern District of Georgia. The class action suit centers on two main allegations:
- Delayed Notification: Despite discovering the data breach in May 2024, Gas Express waited seven months to inform affected employees. The lawsuit contends that this delay in identifying and reporting the attack caused additional harm to the victims.
- Inadequate Security Measures: The suit alleges that Gas Express failed to implement “reasonable data security measures” that could have prevented the breach. It argues that Gas Express had an implied contract with Canup and other employees to adequately safeguard their personal information.
Canup is seeking compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief, including improvements to Gas Express’ data security systems.
Call to Action
This suit highlights the importance of a well-structured Incident Response Plan (IRP) that ensures coordinated decision-making and efficient communication during a security incident. An IRP also includes clear notification procedures, enabling prompt reporting to regulators, authorities, and affected individuals. Timely notification would have given Gas Express employees the opportunity to take preventive measures, such as credit monitoring and fraud alerts, reducing potential harm.
While the specific method of the attack on Gas Express remains undisclosed, it’s important to recognize that all enterprises, including Gas Express, inherently face digital vulnerabilities and risks. No organization is immune to these challenges. The key is to identify these risks and create a strategy that incorporates reasonable security measures to mitigate them.
A Duty of Care Risk Analysis (DoCRA) provides a structured way to identify, assess, and prioritize risks so that organizations can allocate resources more effectively and improve overall risk management. DoCRA aligns with judicial and regulatory expectations for demonstrating “due care” and “reasonable” and “appropriate” safeguards. DoCRA addresses the interests of all parties potentially affected by the identified risks, allowing companies to balance their mission and objectives with their duty to protect others from harm.
HALOCK Security Labs has dedicated teams that specialize in conducting comprehensive risk analyses. Our experienced experts work methodically to identify your organization’s risk exposure to help you define acceptable risk thresholds and develop reasonable safeguards.